Commit

Merge PR #4733 from @joshnck - Add DNS Rule For OneLaunch Update Service
new: DNS Query Request To OneLaunch Update Service 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
joshnck and nasbench authored Feb 26, 2024
1 parent dbdf7f2 commit a519886
Showing 1 changed file with 26 additions and 0 deletions.
26 changes: 26 additions & 0 deletions rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml
@@ -0,0 +1,26 @@
title: DNS Query Request To OneLaunch Update Service
id: df68f791-ad95-447f-a271-640a0dab9cf8
status: experimental
description: |
Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application.
When the OneLaunch application is installed it will attempt to get updates from this domain.
references:
- https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf
- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/
- https://malware.guide/browser-hijacker/remove-onelaunch-virus/
author: Josh Nickels
date: 2024/02/26
tags:
- attack.collection
- attack.t1056
logsource:
category: dns_query
product: windows
detection:
selection:
QueryName: 'update.onelaunch.com'
Image|endswith: '\OneLaunch.exe'
condition: selection
falsepositives:
- Unlikely
level: low
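Review bot: The description and the selection do not agree on scope. The description says the rule "Detects DNS query requests to update.onelaunch.com", but `selection` requires both `QueryName: 'update.onelaunch.com'` and `Image|endswith: '\OneLaunch.exe'`, so a query for that domain issued by any other process (a browser, a separate updater binary, a renamed copy) will not match. Either state the process constraint in the description, or split the `Image` condition out so the domain match alone can still fire at a lower level. Two smaller points in the same hunk: the `attack.collection` / `attack.t1056` tags describe input capture, which the description never claims this adware performs, so they should be justified in the description or dropped; and a `falsepositives` entry of `Unlikely` paired with `level: low` is fine for adware, but a short note that the domain is the application's own update endpoint would make the low severity self-explanatory to anyone tuning the rule.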
